<div dir="ltr"><pre>-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Hi,
I noticed that in the instructions for using Homebrew to install Tor on OSX, the instructions say:
> As with any application, you should make sure it came unmodified from the orginal source. Unfortunately, Homebrew does not come with integrated verification for downloads, and anyone could submit a modified Tor!
If you use a [Brew Tap](<a href="https://github.com/Homebrew/homebrew/wiki/brew-tap">https://github.com/Homebrew/homebrew/wiki/brew-tap</a>), you can have a separate repository (which must be on Github) to track the Tor formula. I believe that if the Tor Project owns that repository, there should be higher confidence that a user installing Tor with Homebrew is installing the intended source code, so long as the user runs `brew install TheTorProject/tor/tor` (instead of just `brew install tor`, which will use the formula in the main Homebrew repo).
If this sounds like something the devs desire, I have a tap repository ready to go at <a href="https://github.com/mark-rushakoff/homebrew-tor">https://github.com/mark-rushakoff/homebrew-tor</a>. It includes the tor.rb formula from Homebrew, including its full history. If you fork it to the Tor project (or perhaps Github offers a way for me to transfer ownership), then only someone affiliated with Tor will be able to approve changes to where Homebrew retrieves source code to build Tor.
The only extra work in adopting this solution would be finding a way to "deprecate" or redirect the main recipe under Homebrew. I'm not familiar enough with Homebrew to provide direction on that topic, unfortunately.
Mark Rushakoff
-----BEGIN PGP SIGNATURE-----
Version: OpenPGP.js v0.6.1-dev
Comment: <a href="http://openpgpjs.org">http://openpgpjs.org</a>
wsBcBAEBCAAQBQJT4G8NCRDqKXFAudXBCAAAcKYIAJwa99tJQOHxvzn1DyDW
DZD+ktBrAg0pZ4FEE58+n2KiH1hzeHGuhLh4mLlsD30CGlDqtjmYKiU7VR/P
g9jsQTawqmACI5KQkMkOMkdBKsjKfNwCaLxA7mdSoCHsRcmSKhQH++rg1Bli
JiQrHgi9DihNrUku2/Km7leiurBrKED1KK2KAJ9mKnVMF2iRjcV//VQ9Nbtp
WJp92mydyTnBEGYQPrt6M57WZjYvrkvYV1/eHYZpulrGcPAcXzDYnHgRhRPL
9bolbQhwyPWU6gvEdLC/+NAlCpN1Lfd/RFCyhksgVr6RT8GJFSdpjg1UVkw4
U/63nEVJR8cF0boBtUWQReQ=
=baFT
-----END PGP SIGNATURE-----
</pre></div>